Posted to issues@nifi.apache.org by "jbalchan (via GitHub)" <gi...@apache.org> on 2023/06/19 05:21:44 UTC

[GitHub] [nifi] jbalchan opened a new pull request, #7398: NIFI-11686 update elasticsearch client version to fix CVE

jbalchan opened a new pull request, #7398:
URL: https://github.com/apache/nifi/pull/7398

   
   # Summary
   
   [NIFI-00000](https://issues.apache.org/jira/browse/NIFI-00000)
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [ ] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [ ] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [ ] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [ ] Pull Request based on current revision of the `main` branch
   - [ ] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [ ] Build completed using `mvn clean install -P contrib-check`
     - [ ] JDK 11
     - [ ] JDK 17
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [nifi] jbalchan commented on a diff in pull request #7398: NIFI-11686 update elasticsearch client version to fix CVE

Posted by "jbalchan (via GitHub)" <gi...@apache.org>.
jbalchan commented on code in PR #7398:
URL: https://github.com/apache/nifi/pull/7398#discussion_r1234738302


##########
nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml:
##########
@@ -39,7 +39,7 @@ language governing permissions and limitations under the License. -->
          Note: the low-level elasticsearch-rest-client remains licensed with Apache 2.0
          (https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_license.html) even after the move
          of the main Elasticsearch product and elasticsearch-rest-high-level-client to Elastic 2.0/SSPL 1.0 in v7.11.0+ -->
-        <elasticsearch.client.version>7.13.4</elasticsearch.client.version>
+        <elasticsearch.client.version>7.17.10</elasticsearch.client.version>
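Review bot: the bump of `elasticsearch.client.version` from 7.13.4 to 7.17.10 is the only change in this hunk, and neither the hunk nor the PR description (still the unfilled template with the `NIFI-00000` placeholder) names the CVE it is meant to fix, so a reviewer cannot tell whether the advisory concerns the low-level `elasticsearch-rest-client` that this bundle depends on or only the Elasticsearch server; cite the CVE and the affected artifact in the PR description or the Jira issue. The comment immediately above the changed line ties the Apache 2.0 licensing of the low-level client to the v7.11.0+ relicensing of the server and high-level client, so also confirm that the new version still resolves only the low-level client, and complete the Licensing items in the template, which are all unchecked.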

Review Comment:
   Sure, I'll look into those OWASP first.
   Closing this PR for now.





[GitHub] [nifi] ChrisSamo632 commented on a diff in pull request #7398: NIFI-11686 update elasticsearch client version to fix CVE

Posted by "ChrisSamo632 (via GitHub)" <gi...@apache.org>.
ChrisSamo632 commented on code in PR #7398:
URL: https://github.com/apache/nifi/pull/7398#discussion_r1234309246


##########
nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml:
##########
@@ -39,7 +39,7 @@ language governing permissions and limitations under the License. -->
          Note: the low-level elasticsearch-rest-client remains licensed with Apache 2.0
          (https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_license.html) even after the move
          of the main Elasticsearch product and elasticsearch-rest-high-level-client to Elastic 2.0/SSPL 1.0 in v7.11.0+ -->
-        <elasticsearch.client.version>7.13.4</elasticsearch.client.version>
+        <elasticsearch.client.version>7.17.10</elasticsearch.client.version>

Review Comment:
   Suggest checking the suppressions (and their justifications) in the OWASP Dependency Check [suppression.xml](https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L107) - there are several for Elasticsearch, have you detected a known "false positive" that instead you can suppress/ignore in your own checks?





[GitHub] [nifi] ChrisSamo632 commented on a diff in pull request #7398: NIFI-11686 update elasticsearch client version to fix CVE

Posted by "ChrisSamo632 (via GitHub)" <gi...@apache.org>.
ChrisSamo632 commented on code in PR #7398:
URL: https://github.com/apache/nifi/pull/7398#discussion_r1234305758


##########
nifi-nar-bundles/nifi-elasticsearch-bundle/pom.xml:
##########
@@ -39,7 +39,7 @@ language governing permissions and limitations under the License. -->
          Note: the low-level elasticsearch-rest-client remains licensed with Apache 2.0
          (https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_license.html) even after the move
          of the main Elasticsearch product and elasticsearch-rest-high-level-client to Elastic 2.0/SSPL 1.0 in v7.11.0+ -->
-        <elasticsearch.client.version>7.13.4</elasticsearch.client.version>
+        <elasticsearch.client.version>7.17.10</elasticsearch.client.version>

Review Comment:
   The problem with upgrading this version is documented in the comment above within the `pom.xml` - this is likely to break connectivity to any non-Elastic based services that use the Elasticsearch API (e.g. AWS OpenSearch)
   
   What CVE are you attempting to address and does it impact these Elasticsearch low-level REST API or (more likely) the Elasticsearch server at this version, which **is not** used by NiFi?



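The two review questions in this thread (which artifact a scanner finding is actually about, and whether a known false positive should be suppressed with a written justification rather than addressed by a version bump) are usually answered in the OWASP Dependency Check suppressions file. The entry below is an added example written for this page, not an entry from NiFi's own `suppressions.xml`; the justification text, the match on the `elasticsearch-rest-client` package URL and the choice to suppress the server CPE are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppressions file written for this page; it is not NiFi's own suppressions.xml. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
            Justification (assumed for illustration): Dependency Check matches the low-level
            REST client against the Elasticsearch *server* CPE, so advisories that only affect
            the server are reported against the client jar. The server is neither shipped with
            nor used by this bundle. The suppression is scoped to the client artifact by
            packageUrl so that advisories filed against the client itself still surface.
        ]]></notes>
        <!-- Only the low-level client artifact, any version. -->
        <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-rest\-client@.*$</packageUrl>
        <!-- Drop the server CPE identification for that artifact. -->
        <cpe>cpe:/a:elastic:elasticsearch</cpe>
    </suppress>
</suppressions>
```

A `<cpe>` child removes that CPE identification for the matched dependency, so every advisory tied to it disappears for that artifact; pair it with the narrowest `packageUrl` you can write. A `<cve>` child instead suppresses a single advisory for the dependency and is the better choice when only one finding has been reviewed. To see which Elasticsearch artifacts the bundle actually resolves before deciding whether a finding applies, `mvn dependency:tree -Dincludes=org.elasticsearch.client` run in the bundle directory lists them with their versions.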


[GitHub] [nifi] jbalchan closed pull request #7398: NIFI-11686 update elasticsearch client version to fix CVE

Posted by "jbalchan (via GitHub)" <gi...@apache.org>.
jbalchan closed pull request #7398: NIFI-11686 update elasticsearch client version to fix CVE
URL: https://github.com/apache/nifi/pull/7398

